Ruleset Update Summary - 2023/08/23 - v10401

Summary:

13 new OPEN, 13 new PRO (13 + 0)

Thanks @suyog41, @Gi7w0rm, @Cyberuptive, @symantec

Added rules:

Open:

  • 2047705 - ET PHISHING Ferest Smuggler Request M1 (phishing.rules)
  • 2047706 - ET PHISHING Ferest Smuggler Request M2 (phishing.rules)
  • 2047707 - ET HUNTING Redirect via HTTP 300 to URI Shortening Service (rb .gy) (hunting.rules)
  • 2047708 - ET HUNTING Redirect via HTTP 300 to URI Shortening Service (rb .gy) with Fragment Identifier (hunting.rules)
  • 2047709 - ET HUNTING Redirect via HTTP 300 to URI Shortening Service (sprl .in) (hunting.rules)
  • 2047710 - ET HUNTING Redirect via HTTP 300 to URI Shortening Service (alturl .com) (hunting.rules)
  • 2047711 - ET INFO URI Shortening Domain in DNS Lookup (sprl .in) (info.rules)
  • 2047712 - ET INFO URI Shortening Domain in DNS Lookup (alturl .com) (info.rules)
  • 2047713 - ET INFO Observed URI Shortening Service Domain (alturl .com in TLS SNI) (info.rules)
  • 2047714 - ET INFO Observed URI Shortening Service Domain (sprl .in in TLS SNI) (info.rules)
  • 2047715 - ET MALWARE Carderbee APT Related Activity (malware.rules)
  • 2047716 - ET MALWARE Win32/NewsRat CnC Exfil via Telegram (POST) (malware.rules)
  • 2047717 - ET MALWARE LNK/Unknown Downloader CnC Checkin (POST) (malware.rules)

Disabled and modified rules:

  • 2044601 - ET MALWARE Observed DNS Query to LIGHTSHOW Domain (sede .lamarinadevalencia .com) (malware.rules)
  • 2044602 - ET MALWARE Observed DNS Query to LIGHTSHOW Domain (abba-servicios .mx) (malware.rules)
  • 2044605 - ET MALWARE Observed DNS Query to LIGHTSHOW Domain (webinternal .anyplex .com) (malware.rules)
  • 2044607 - ET MALWARE Observed DNS Query to LIGHTSHOW Domain (ruscheltelefonia .com .br) (malware.rules)
  • 2044609 - ET MALWARE Observed DNS Query to LIGHTSHOW Domain (keewoom .co .kr) (malware.rules)
  • 2044610 - ET MALWARE Observed DNS Query to LIGHTSHOW Domain (olidhealth .com) (malware.rules)
  • 2044611 - ET MALWARE Observed DNS Query to LIGHTSHOW Domain (mantis .quick .net .pl) (malware.rules)
  • 2044612 - ET MALWARE Observed DNS Query to LIGHTSHOW Domain (toptradenews .com) (malware.rules)
  • 2044613 - ET MALWARE Observed DNS Query to LIGHTSHOW Domain (crickethighlights .today) (malware.rules)
  • 2045007 - ET MALWARE Observed DNS Query to Gamaredon Domain (atonpi .ru) (malware.rules)
  • 2045008 - ET MALWARE Observed DNS Query to Gamaredon Domain (akenatonbo .ru) (malware.rules)
  • 2045009 - ET MALWARE Observed DNS Query to Gamaredon Domain (aktaypo .ru) (malware.rules)
  • 2045010 - ET MALWARE Observed DNS Query to Gamaredon Domain (anumbo .ru) (malware.rules)
  • 2045011 - ET MALWARE Observed DNS Query to Gamaredon Domain (amonbo .ru) (malware.rules)
  • 2045012 - ET MALWARE Observed DNS Query to Gamaredon Domain (asheypi .ru) (malware.rules)
  • 2045013 - ET MALWARE Observed DNS Query to Gamaredon Domain (aydinpo .ru) (malware.rules)
  • 2045014 - ET MALWARE Observed DNS Query to Gamaredon Domain (azibobo .ru) (malware.rules)
  • 2045015 - ET MALWARE Observed DNS Query to Gamaredon Domain (addzhobo .ru) (malware.rules)
  • 2045016 - ET MALWARE Observed DNS Query to Gamaredon Domain (altugpo .ru) (malware.rules)
  • 2045017 - ET MALWARE Observed DNS Query to Gamaredon Domain (agshinpo .ru) (malware.rules)
  • 2045018 - ET MALWARE Observed DNS Query to Gamaredon Domain (velevas .ru) (malware.rules)
  • 2045019 - ET MALWARE Observed DNS Query to Gamaredon Domain (akyuldizpo .ru) (malware.rules)
  • 2045020 - ET MALWARE Observed DNS Query to Gamaredon Domain (garame .ru) (malware.rules)
  • 2045021 - ET MALWARE Observed DNS Query to Gamaredon Domain (alpaslanpo .ru) (malware.rules)
  • 2045022 - ET MALWARE Observed DNS Query to Gamaredon Domain (adempo .ru) (malware.rules)
  • 2045023 - ET MALWARE Observed DNS Query to Gamaredon Domain (uranic .ru) (malware.rules)
  • 2045024 - ET MALWARE Observed DNS Query to Gamaredon Domain (agasypo .ru) (malware.rules)
  • 2045025 - ET MALWARE Observed DNS Query to Gamaredon Domain (ayrympo .ru) (malware.rules)
  • 2045035 - ET MALWARE Observed DNS Query to Nemesis Domain (es-megadom .com) (malware.rules)
  • 2045036 - ET MALWARE Observed DNS Query to Nemesis Domain (plus-lema .com) (malware.rules)
  • 2045184 - ET MALWARE DNS Query to Blind Eagle Domain (dfdagsdsag .con-ip .com) (malware.rules)
  • 2045237 - ET MALWARE DNS Query to MageCart Domain (genlytec .us) (malware.rules)
  • 2045238 - ET MALWARE DNS Query to MageCart Domain (pyatiticdigt .shop) (malware.rules)
  • 2045239 - ET MALWARE DNS Query to MageCart Domain (shumtech .shop) (malware.rules)
  • 2045240 - ET MALWARE DNS Query to MageCart Domain (interytec .shop) (malware.rules)
  • 2045241 - ET MALWARE DNS Query to MageCart Domain (stacstocuh .quest) (malware.rules)
  • 2045242 - ET MALWARE DNS Query to MageCart Domain (daichetmob .sbs) (malware.rules)
  • 2045243 - ET MALWARE DNS Query to MageCart Domain (zapolmob .sbs) (malware.rules)
  • 2045271 - ET MALWARE DNS Query to RokRat Domain (link .b4a .app) (malware.rules)
  • 2045272 - ET MALWARE DNS Query to RokRat Domain (daum-store .com) (malware.rules)
  • 2045273 - ET MALWARE DNS Query to RokRat Domain (docx1 .b4a .app) (malware.rules)
  • 2045274 - ET MALWARE DNS Query to RokRat Domain (nate-download .com) (malware.rules)
  • 2045275 - ET MALWARE DNS Query to RokRat Domain (naver-file .com) (malware.rules)
  • 2045646 - ET MALWARE DNS Query to TA444 Domain (morganstanleycorp .co .uk) (malware.rules)
  • 2046822 - ET MALWARE [ANY.RUN] DNS Query to Konni APT Domain (cachecast001 .com) (malware.rules)
  • 2046823 - ET MALWARE [ANY.RUN] DNS Query to Konni APT Domain (elinline .com) (malware.rules)
  • 2854244 - ETPRO MALWARE Observed DNS Query to AgentTesla Domain (malware.rules)